ZooKeeper ACLs Best Practices: HDFS
You must follow the best practices for tightening the ZooKeeper ACLs or permissions for HDFS when provisioning a secure cluster.
ZooKeeper Usage:
- hadoop-ha: used by hdfs zkfc for automatic NameNode failover

Default ACLs:
- hadoop-ha: world:anyone:cdrwa

Security Best Practice ACLs/Permissions and Required Steps:
- hadoop-ha: sasl:nn:cdrwa

For secured clusters, the recommended ACL is sasl:nn:rwcda. To set this, perform the following steps:

1. Set ha.zookeeper.acl to sasl:nn:rwcda as an advanced configuration snippet using Cloudera Manager. Configure the value from HDFS > Configuration > Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml.

2. Set HADOOP_ZKFC_OPTS as an advanced configuration snippet using Cloudera Manager. Add the following value from HDFS > Configuration > HDFS Replication Environment Advanced Configuration Snippet (Safety Valve) for hadoop-env.sh:

   -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/conf/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client ${HADOOP_ZKFC_OPTS}

3. On both NameNodes, create /etc/hadoop/conf/hdfs_jaas.conf as the root user with the following contents:

   Client {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     useTicketCache=false
     keyTab="/cdep/keytabs/hdfs.keytab"
     principal="nn/<HOST>@EXAMPLE.COM";
   };

   nn/<HOST>@EXAMPLE.COM must be changed to the actual hostname and realm, for example nn/c6401.cloudera.com@EXAMPLE.COM, and keyTab must point to the keytab on that NameNode that contains the nn principal. To get the actual principal, on both NameNodes run the following command as the hdfs user:

   klist -k /etc/security/keytabs/nn.service.keytab

4. Stop the two ZKFCs.

5. On one of the NameNodes, run the following command as the hdfs user:

   hdfs zkfc -formatZK -force

6. Start the two ZKFCs.
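To verify the result of the procedure above (or to audit a cluster still on the default ACL), here is an added example that is not part of the Cloudera page: a small Python audit that parses an ACL list in the ha.zookeeper.acl format and the two-line-per-entry output of zkCli.sh getAcl /hadoop-ha, flags any world:anyone entry granting more than read, and confirms that sasl:nn holds all of cdrwa. The getAcl output strings are constructed samples.

```python
"""Audit the ZooKeeper ACL on the HDFS HA znode (/hadoop-ha).

Permission letters: c=create, d=delete, r=read, w=write, a=admin.
The order of letters in an ACL spec is irrelevant (rwcda == cdrwa)."""
import re

FULL_PERMS = frozenset("cdrwa")
RECOMMENDED_SPEC = "sasl:nn:rwcda"        # value of ha.zookeeper.acl on a secured cluster
_GETACL_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")  # e.g. 'world,'anyone


def fmt_perms(perms):
    """Render a permission set in ZooKeeper's canonical cdrwa order."""
    return "".join(p for p in "cdrwa" if p in perms)


def parse_acl_spec(spec):
    """Parse 'scheme:id:perms[,scheme:id:perms...]' (Hadoop ZKUtil style) into
    a list of (scheme, id, perms-set). Ids may themselves contain ':' (digest,
    ip), so the permission field is taken from the last colon."""
    acls = []
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        scheme, rest = entry.split(":", 1)
        ident, perms = rest.rsplit(":", 1)
        unknown = set(perms) - FULL_PERMS
        if unknown:
            raise ValueError(f"unknown permission letters {sorted(unknown)} in {entry!r}")
        acls.append((scheme, ident, frozenset(perms)))
    return acls


def parse_getacl_output(text):
    """Parse zkCli.sh 'getAcl' output: each entry is "'scheme,'id" on one line
    followed by ": perms" on the next."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    acls = []
    for head, tail in zip(lines[0::2], lines[1::2]):
        m = _GETACL_RE.match(head)
        if not m or not tail.startswith(":"):
            raise ValueError(f"unexpected getAcl lines: {head!r} / {tail!r}")
        acls.append((m["scheme"], m["id"], frozenset(tail[1:].strip())))
    return acls


def audit_hadoop_ha_acls(acls):
    """Return findings for the /hadoop-ha ACL list; an empty list means it
    matches the recommended sasl:nn:rwcda and carries no writable world entry."""
    findings = []
    for scheme, ident, perms in acls:
        if scheme == "world" and ident == "anyone" and perms - {"r"}:
            findings.append(f"world:anyone has {fmt_perms(perms)}: unauthenticated "
                            "clients can alter NameNode failover state")
    for scheme, ident, want in parse_acl_spec(RECOMMENDED_SPEC):
        have = [p for s, i, p in acls if (s, i) == (scheme, ident)]
        if not any(want <= p for p in have):
            findings.append(f"missing {scheme}:{ident}:{fmt_perms(want)}")
    return findings


# Constructed samples of 'getAcl /hadoop-ha' before and after the procedure.
DEFAULT_OUTPUT = "'world,'anyone\n: cdrwa\n"
HARDENED_OUTPUT = "'sasl,'nn\n: cdrwa\n"
```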